
Introduction

The primary purpose of identity management systems is to manage data belonging to users; it is common practice in such systems to also define entities called roles, which help in defining and enforcing security policies. In addition to this, Syncope explicitly represents the fact that users can be assigned to roles by means of memberships.

In summary, Syncope manages data about three kinds of entities:

  1. User
  2. Role
  3. Membership

By "data", Syncope means a collection of so-called attributes.

This means that Syncope will manage User attributes, Role attributes and Membership attributes.

Attribute

An attribute is a (key, values) pair where

  • key is a string label (e.g. Surname)
  • values is a (possibly singleton) collection of data (e.g. [Doe], but also [john.doe@syncope-idm.org, jdoe@gmail.com])

An attribute can be:

  • a plain attribute
    when its values are stored in Syncope's internal storage
  • a derived attribute
    when its value is obtained by evaluating a JEXL expression that combines the values of plain attributes
  • a virtual attribute
    when its value is not stored in Syncope's internal storage but in an external resource

This means that Syncope will manage plain attributes, derived attributes and virtual attributes for users, roles and memberships.

The type of values that can be assigned to each attribute is defined by schemas.

Schema

An attribute schema describes the values that attributes with that schema will hold:

  • type (String, Enum, Boolean, Long, Double, Date)
  • whether values must respect UNIQUE constraint or not
  • whether values must be singleton or not
  • whether providing a value is mandatory or not
  • whether input is accepted or not (read-only)
  • whether values must be validated by some provided validator (such as EMailAddressValidator)
  • how non-string values must be converted into / parsed from strings (conversion pattern)

This means that Syncope will manage schemas, derived schemas and virtual schemas for users, roles and memberships.
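As an added example (not Syncope's own code), the following Python models the schema constraints listed above and applies them to a user's plain attributes, with a derived attribute computed from plain ones; the Schema class, the regex standing in for EMailAddressValidator and the ${key} substitution standing in for JEXL are all assumptions of this example.

```python
import re
from datetime import datetime

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # constructed stand-in for EMailAddressValidator (assumption)

class Schema:
    """Constraints a Syncope schema places on an attribute's values (assumed model)."""
    def __init__(self, key, type_="String", unique=False, multivalue=False,
                 mandatory=False, readonly=False, validator=None, pattern=None):
        self.key, self.type_, self.unique, self.multivalue = key, type_, unique, multivalue
        self.mandatory, self.readonly, self.validator, self.pattern = mandatory, readonly, validator, pattern

    def parse(self, raw):
        """Parse a string into the schema type; Date uses the conversion pattern."""
        if self.type_ == "Date":
            return datetime.strptime(raw, self.pattern)
        return raw  # String; Long, Double, Boolean and Enum omitted for brevity

def validate(schemas, attrs, existing):
    """Return the constraint violations for one user's plain attributes ([] means valid)."""
    errors = [f"{k}: no schema defined" for k in attrs if k not in schemas]
    for s in schemas.values():
        values = attrs.get(s.key, [])
        if s.mandatory and not values:
            errors.append(f"{s.key}: mandatory")
        if not s.multivalue and len(values) > 1:
            errors.append(f"{s.key}: must be singleton")
        if s.readonly and values:
            errors.append(f"{s.key}: read-only, input not accepted")
        for v in values:
            try:
                s.parse(v)
            except ValueError:
                errors.append(f"{s.key}: '{v}' is not a valid {s.type_}")
                continue
            if s.validator and not s.validator(v):
                errors.append(f"{s.key}: '{v}' rejected by validator")
            if s.unique and any(v in other.get(s.key, []) for other in existing):
                errors.append(f"{s.key}: '{v}' violates UNIQUE")  # held by another entity
    return errors

def derive(expression, attrs):
    """Derived attribute: ${key} substitution stands in for JEXL here (assumption)."""
    return re.sub(r"\$\{(\w+)\}", lambda m: attrs.get(m.group(1), [""])[0], expression)

# Constructed sample schemas and one already-stored user
SCHEMAS = {s.key: s for s in [
    Schema("surname", mandatory=True), Schema("birthdate", type_="Date", pattern="%Y-%m-%d"),
    Schema("email", multivalue=True, unique=True, validator=lambda v: bool(EMAIL_RE.match(v)))]}
EXISTING = [{"surname": ["Smith"], "email": ["jdoe@gmail.com"]}]
```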

Schema Mapping

If Syncope were only able to define schemas and manage attributes for its internal storage, there would be little to gain from deploying an IdM solution.

One of the most important features is the ability to link such attributes to external resources (LDAP server, database, ...) so that propagation and synchronization can take place effectively.
